I'm not sure I understand the question, but I think you are saying that the user's password was configured to 'User must change password at next login' and once they attempted to log in they could not change their password as prompted. I would guess that this is due to two likely culprits: 1) your password policy prevents the user from changing their password within a certain number of days, which they are within, or 2) the password the user is entering does not meet the minimum complexity requirements. When you change a password from within ADUC you bypass these requirements.
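
One way to check both conditions named in the answer above for a single account. This is an added example, not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the function name `Get-PasswordChangeBlockers` and the account `jdoe` are hypothetical.

```powershell
# Added example: report the policy values that decide whether a user-initiated
# password change is accepted. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-PasswordChangeBlockers {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties pwdLastSet, PasswordLastSet

    # A fine-grained password policy (PSO), when one applies to the user,
    # takes precedence over the default domain policy.
    $pso    = Get-ADUserResultantPasswordPolicy -Identity $Identity
    $policy = if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy }

    # pwdLastSet = 0 means the "must change at next logon" flag is set;
    # in that case there is no last-set timestamp to compare against.
    $earliest = $null
    if ($user.PasswordLastSet) {
        $earliest = $user.PasswordLastSet + $policy.MinPasswordAge
    }

    [pscustomobject]@{
        User                  = $user.SamAccountName
        PolicySource          = if ($pso) { "PSO: $($pso.Name)" } else { 'Default domain policy' }
        MustChangeAtNextLogon = ($user.pwdLastSet -eq 0)
        PasswordLastSet       = $user.PasswordLastSet
        MinPasswordAge        = $policy.MinPasswordAge
        EarliestUserChange    = $earliest
        WithinMinimumAge      = [bool]($earliest -and ((Get-Date) -lt $earliest))
        ComplexityEnabled     = $policy.ComplexityEnabled
        MinPasswordLength     = $policy.MinPasswordLength
    }
}

# 'jdoe' is a placeholder account name.
Get-PasswordChangeBlockers -Identity 'jdoe' | Format-List
```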